Does T-Mobile Austria in fact store customers’ passwords in clear text @tmobileat? @PWTooStrong @Telekom_hilft https://twitter.com/SeloX_AUT/status/981406875811008513
Thanks for your reply Andrea! Storing cleartext passwords in a database is a naughty thing to do. http://plaintextoffenders.com/faq/devs What can we do to get your devs to fix that?
Hi @c_pellegrino, I really do not get why this is a problem. You have so many passwords for every app, for every mail account and so on. We secure all data very carefully, so there is not a thing to fear. ^Käthe
Well, what if your infrastructure gets breached and everyone’s password is published in plaintext to the whole wide world?
@Korni22 What if this doesn't happen because our security is amazingly good? ^Käthe
Bad news for you Käthe, nobody’s security is that good. No, not even yours. It’s not that I say you are 100% getting hacked - what if an employee accesses the database directly?
@Korni22 Excuse me? Do you have any idea how telecommunication companies work? Do you know anything about our systems? But I'm glad you have the time to share your view with us. ^Käthe
Well, I do, since I worked for @deutschetelekom, but thanks for asking. 3 years of something that’s called „Ausbildung“, and a bit more as a contractor.
@Korni22 So, you never worked for us in Austria though. But thank you very much for sharing your opinion. ^Käthe
New conversation
Is that true? That would be an awful thing to do, and prohibited by law as well.
Dear @Telekom_group, I hold two degrees in IT/software/distributed systems, crypto was part of these studies, and I also worked as a contractor for a T company, and this is just ridiculous! You are playing with the security of your customers, risking identity theft and worse...
And it doesn’t matter how secure your systems are! You can’t guarantee that your employees will not abuse this data or that an attacker won't get access through social engineering etc. Even if they see only 4 characters, you’re significantly lowering the complexity of a brute force attack.
Just to link this here: First XSS vulnerability already demonstrated. This means people can inject code in your website and potentially have it executed on somebody else’s machine/account. Do you still want to discuss? https://twitter.com/fabricio_giglio/status/982362735924137984?s=21
And there’s more regarding the security claim... https://twitter.com/alessandrinoino/status/982356908496564224?s=21
Somebody should probably write up a summary. What happened, why is it bad, on what levels, what can companies and individuals do to take it forward in a constructive manner.
For a possible summary I’d like to leave some ideas:
- what we saw was the response of an individual, they are part of a system -> systems dominate, the problem always lies within the system
- „we know better anyway“ is a cultural issue -> hinders adoption of best practice 1/n
- There is no reason from a usability perspective to store passwords in plain text; even if there was, it’s unethical, as we’re playing with the security of customers here
- Even storing passwords partially in plaintext significantly lowers the complexity of some attacks 2/n
New conversation
In fact: you do not need the password. A non-reversible, salted hash of that password is enough. @1und1 sent me my password by mail some years back and their support was just as oblivious. My post didn't explode back then. They opened a ticket but I never heard back.
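What the tweet above asks for, a one-way salted hash stored in place of the password, shown as an added example that is not part of the original thread and not code from any T-Mobile or 1&1 system. It uses Python's standard library only; the record format (`pbkdf2_sha256$iterations$salt$key`), the iteration count and the sample password are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for this example;
# tune it to the hardware budget of the system that verifies logins.
ITERATIONS = 600_000
SALT_BYTES = 16


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way derivation: password + salt -> 32-byte key.

    There is no way back from the key to the password, which is the whole
    point: a leaked or insider-read record does not hand out the password.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def hash_password(password: str) -> str:
    """Build the record that goes into the database instead of the password.

    Record format (constructed for this example):
        pbkdf2_sha256$<iterations>$<salt hex>$<key hex>
    A fresh random salt per user means two users with the same password get
    different records, so a precomputed table for one helps with neither.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    key = derive_key(password, salt)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt against the stored record.

    The original password is never needed: re-derive with the stored salt
    and iteration count, then compare the keys.
    """
    try:
        scheme, iterations, salt_hex, key_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
        candidate = derive_key(password, salt, int(iterations))
    except ValueError:
        # Malformed record (wrong field count, bad hex, non-numeric iterations).
        return False
    # Constant-time comparison so response timing doesn't leak how many
    # bytes of the key matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample password, not a real credential.
    record = hash_password("correct horse battery staple!")
    print("stored record:", record)
    print("correct password accepted:", verify_password("correct horse battery staple!", record))
    print("wrong password rejected:", not verify_password("wrong password", record))
```

Note that the stored record contains neither the password nor any prefix of it, so a support agent reading the database (or a "confirm the first four characters" workflow) simply has nothing to read back; verification is the only operation the record supports.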
Oh wow, 1und1
By the way, this thread had failed to get any public attention, too, until @troyhunt happened to retweet it
It was posted here as well, with over 5,000 upvotes already. https://www.reddit.com/r/techsupportgore/comments/8adccc/tmobile_digs_their_own_grave
New conversation
@TMobile_CZE - can you please confirm that this practice is / isn't the same for customers in CZ?
You have to contact @TMobile_CZE about this. ^Helmut